Why are fake Elon Musk bitcoin scams running rife on Twitter right now?

Scammers are hijacking verified accounts and using them to imitate the Tesla boss as part of a new bitcoin con.
Written by Danny Palmer, Senior Writer

Hackers have compromised a series of high-profile Twitter accounts to mount a bitcoin scam where they pose as Tesla CEO Elon Musk.

The verified Twitter accounts of film producer Pathe UK, British fashion retailer Matalan, US publisher Pantheon Books, and independent record label Marathon Artists, are among those hijacked by attackers.

In some cases, the scammers even used promoted Tweets to help the campaign reach a wider number of Twitter users.


Pathe UK account hacked to display bitcoin scam in a Promoted Tweet.

Image: CBSi

Twitter accounts are verified with a blue tick, helping users spot whether accounts for well-known individuals and companies are genuine, and hackers appear to be exploiting that badge of authenticity to make scams more effective.

"Being able to hijack verified accounts is a potential goldmine for cryptoscammers banking on the visibility of the Tesla CEO," Chris Boyd, lead malware intelligence at Malwarebytes, told ZDNet.

"Verified entities don't need any extra requirements to change basic profile details such as name or avatar, and once the account is compromised you can then start pushing rogue ads under the guise of Elon".

The hacked accounts are changed to use the name and likeness of the Tesla CEO and claim he's giving away cryptocurrency. The accounts also retweet various posts by Musk, Tesla and Space X, in an effort to look more like the real Elon Musk account.


The compromised Matalan Twitter account retweeted Elon Musk Tweets to look more legitimate.

Image: CBSi

Twitter users are asked to contribute a small amount of bitcoin in exchange for a larger amount -- but users receive nothing from the scam.

The bitcoin wallets associated with the scam suggest the campaign has been successful for the attackers, with almost 400 users contributing a combined total of 28 bitcoin to the cryptocurrency wallets -- currently the equivalent of £137,000 ($180,000). That's despite some of the scams being laced with spelling errors and bad English.

Often scammers have used other compromised accounts to respond to the initial post, claiming they've received a bitcoin payment in a move designed to trick users into thinking the scheme is legitimate.

In most cases, the affected accounts have been recovered and the scam Tweets deleted in the space of a few hours, but in some, the compromised accounts have continued to display posts made by attackers for an extended period.

In both cases, the scams have stayed up for enough time for attackers to con Twitter users into handing over bitcoin -- but Twitter says it is responding to these incidents as efficiently as possible.

"Impersonating another individual to deceive users is a clear violation of the Twitter Rules. Twitter has also substantially improved how we tackle cryptocurrency scams on the platform," a Twitter spokesperson told ZDNet.

"In recent weeks, user impressions have fallen by a multiple of 10 as we continue to invest in more proactive tools to detect spammy and malicious activity. This is a significant improvement on previous action rates," they added.

Twitter doesn't enforce two-factor authentication (2FA) on verified accounts, but recommends it as a precaution for users. However, the way in which accounts are regularly being compromised suggests that many users aren't adopting this additional layer of protection.

SEE: What is phishing? Everything you need to know to protect yourself from scam emails and more

Some users are willing to sacrifice additional security for the convenience of accessing their account a little quicker, said Malwarebytes' Boyd.

"There's no easy way to force verified users to keep security settings such as two factor enabled, and all it takes is one successful phish to set a scam in motion," he said.

"Many verified accounts are used by multiple people, and I suspect some switch off some of the security features for ease of use -- that's where things tend to start going wrong."

A Pathe UK spokesperson told ZDNet that the firm was hacked by "an unknown third party" but that the issue had "now been resolved". They didn't confirm if the account was using 2FA prior to the attack.

Meanwhile, Matalan has also regained control of its account, telling users: "Apologies for the brief interlude. You know you're important when someone takes the time to hack your account!". ZDNet contacted Matalan but hadn't received a reply at the time of writing.


Matalan's response to regaining control of the company Twitter account.

Image: CBSi

None of the affected firms have detailed how they fell victim to the scammers, but it's likely a phishing attack played a significant role.

This type of Twitter scam first appeared earlier this year, with unverified accounts claiming to be Elon Musk asking for bitcoin in responses to Tweets by the Tesla boss and his companies. The same type of campaign has also seen attackers pose as other high-profile individuals and companies.

Musk has previously asked Dogecoin co-creator Jackson Palmer to help provide a fix to the scam accounts issue.


Editorial standards